Voice-over-IP Contexts

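These attack objects and groups are designed to detect known attack patterns and protocol anomalies within network traffic. You can configure attack objects and groups for voice-over-IP protocols as match conditions in IDP policy rules. In the tables below, the direction shown in parentheses after each context is CTS (client to server), STC (server to client), or ANY (either direction).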

Service Contexts: H225

The table displays the security context details for H225:

Table 1: Service Contexts: H225

| Context and Direction | Description | Example of Contexts |
| --- | --- | --- |
| h225ras-admission (ANY) | Matches H225RAS admission messages (AdmissionConfirm, AdmissionReject, AdmissionRequest). | Hexadecimal data of H225RAS transaction in VoIP protocol; highlights show 24 00 as start of RAS protocol. |
| h225ras-bandwidth (ANY) | Matches H225RAS bandwidth messages (BandwidthConfirm, BandwidthReject, BandwidthRequest). | |
| h225ras-command-state (ANY) | Matches the state of the H225RAS connection. | |
| h225ras-disengage (ANY) | Matches H225RAS disengage messages (DisengageConfirm, DisengageReject, DisengageRequest). | |
| h225ras-gatekeeper (ANY) | Matches H225RAS gatekeeper messages (GatekeeperConfirm, GatekeeperReject, GatekeeperRequest). | |
| h225ras-info (ANY) | Matches H225RAS informational messages (InfoRequestAck, InfoRequestResponse, InfoRequest). | |
| h225ras-location (ANY) | Matches H225RAS location messages (LocationConfirm, LocationReject, LocationRequest). | |
| h225ras-message (ANY) | Matches the broad H225RAS message context. | H225RAS protocol data with hexadecimal values and ASCII interpretation; important fields highlighted; note: 24 00 starts protocol. |
| h225ras-nonstandard (ANY) | Matches the H225RAS nonstandard message context. | |
| h225ras-registration (ANY) | Matches the H225RAS registration message. | |
| h225ras-resource (ANY) | Matches H225RAS resources available messages (Resources Available Confirm, Resources Available Indicate). | |
| h225ras-rip (STC) | Matches the H225RAS request-in-progress message. | |
| h225ras-servicecontrol (CTS) | Matches the H225RAS service control message. | |
| h225ras-unknown-message (ANY) | Matches the H225RAS unknown message type. | |
| h225ras-unregistration (ANY) | Matches the H225RAS unregistration message. | H.225.0 RAS protocol field in hex dump; "18 40" marks the protocol start with h225ras-unregistration context pattern shown. |
| h225ras-unspecified-message (ANY) | Matches the H225RAS unspecified message. | |
| h225ras-version (ANY) | Matches the H225RAS version message. | |
| h225sgn-message (ANY) | Matches the H225SGN message body, starting with the message-type byte. | |
| h225sgn-preamble (ANY) | Matches the H225SGN signaling protocol discriminator and call reference value. | |

Service Contexts: MGCP

The table displays the security context details for MGCP:

Table 2: Service Contexts: MGCP

| Context and Direction | Description | Display Name |
| --- | --- | --- |
| mgcp-call-id (ANY) | Matches the MGCP call ID parameter value. | MGCP Call ID |
| mgcp-command (ANY) | Matches the MGCP command line. | MGCP Command |
| mgcp-ep-name (ANY) | Matches the MGCP endpoint name specified in command line or command parameters. | MGCP Endpoint name |
| mgcp-parm (ANY) | Matches the MGCP command parameter value. | MGCP Command Parameter |
| mgcp-rsp (ANY) | Matches the entire MGCP response line with the return code. | MGCP Reply Line |
| mgcp-rsp-000-line (ANY) | Matches the MGCP 0yz response acknowledgment. | MGCP 000 Reply Line |
| mgcp-rsp-100-line (ANY) | Matches the MGCP 1yz provisional response. | MGCP 100 Reply Line |
| mgcp-rsp-200-line (ANY) | Matches the MGCP 2yz successful completion response. | MGCP 200 Reply Line |
| mgcp-rsp-400-line (ANY) | Matches the MGCP 4yz permanent error response. | MGCP 400 Reply Line |
| mgcp-rsp-500-line (ANY) | Matches the MGCP 5yz permanent error response. | MGCP 500 Reply Line |
| mgcp-rsp-800-line (ANY) | Matches the MGCP 8yz package-specific response codes. | MGCP 800 Reply Line |
| mgcp-rsp-bad-rcode (ANY) | Matches any MGCP invalid response code. | MGCP Invalid Response Code |
| mgcp-sdp-line (ANY) | Matches MGCP/SDP contents data line. | MGCP SDP Line |
| mgcp-trans-id (ANY) | Matches the MGCP transaction ID parameter value. | MGCP Transaction ID |

Service Contexts: SIP

The table displays the security context details for SIP:

Table 3: Service Contexts: SIP

| Context and Direction | Description | Example of Contexts |
| --- | --- | --- |
| sip-bad-header (ANY) | Matches SIP headers with bad syntax. | |
| sip-command-state (ANY) | Matches the state of the SIP connection. | |
| sip-content-any (ANY) | Matches the SIP contents portion of packet data. | |
| sip-content-sdp (ANY) | Matches SIP/SDP content data. | SIP INVITE request details: UDP source and destination ports 5060; INVITE method with SIP URI sip:7814878422@192.168.15.100:5060; SDP described in message body; Context pattern 70632 for sip-content-sdp. |
| sip-display-name (ANY) | Matches the display name of URL in related headers. | Session Initiation Protocol SIP transaction example showing an INVITE request with user Mallory Mastermind and session details. |
| sip-header-any (ANY) | Matches SIP headers with no designated context. | |
| sip-header-callid (ANY) | Matches the SIP <Call-ID> header. | SIP INVITE request example showing SIP URI sip:7814878422@192.168.15.100:5060, Call-ID field 558-3362304216-522493iptel-sbc3.iptel.wal.verizon.com, and domain verizon.com in sip-header-callid field. |
| sip-header-from (ANY) | Matches the SIP <From> header. | |
| sip-header-maxforwards (CTS) | Matches the SIP <Max-Forwards> header. | |
| sip-header-to (ANY) | Matches the SIP <To> header. | SIP transaction example showing an INVITE request with Request-Line and Message Header fields like Max-Forwards and Session-Expires. The To field, with recipient Mallory Mastermind's SIP URI, is highlighted. From field shows a potential SQL injection attempt, indicating possible security issues. |
| sip-header-value-len (ANY) | Artificially created context for putting thresholds on a header value. | |
| sip-headr-via (ANY) | Matches the SIP <Via> header. | |
| sip-parameter (ANY) | Matches parsed parameters in the headers. | |
| sip-parameter-bad (ANY) | Matches parsed invalid parameters in the headers. | SIP INVITE request with SQL injection-like pattern in From field; indicates potential security vulnerability in SIP transaction. |
| sip-reply (STC) | Matches any SIP reply line with the return code. | |
| sip-reply-100-line (STC) | Matches the SIP 1yz Positive Preliminary reply. | |
| sip-reply-200-line (STC) | Matches the SIP 2yz Positive Completion reply. | |
| sip-reply-300-line (STC) | Matches the SIP 3yz Positive Intermediate reply. | |
| sip-reply-400-line (STC) | Matches the SIP 4yz Transient Negative Completion reply. | |
| sip-reply-500-line (STC) | Matches the SIP 5yz Permanent Negative Completion reply. | |
| sip-reply-600-line (STC) | Matches the SIP 6yz Failure Completion reply. | |
| sip-reply-bad-rcode (STC) | Matches any SIP invalid response code. | |
| sip-request (CTS) | Matches the SIP request command line. | SIP INVITE request field with request line, method, request URI, message header, max-forwards, session-expires, SIP display info. Highlighted request line and URI. Message header details session recipient and sender. |
| sip-request-unknown (CTS) | Matches the SIP request with unknown command. | |
| sip-sdp-line (ANY) | Matches the SIP/SDP contents data line. | SIP transaction with INVITE request line and Session Description Protocol in message body. Context pattern for SIP-SDP lines using verizon. |
| sip-unknown-data (ANY) | Matches SIP unknown data. | |
| sip-unknown-header (ANY) | Matches a SIP unknown header. | |
| sip-uri-host (ANY) | Matches the host-name/IP-address of URI in related headers. | SIP transaction example showing an INVITE request with key elements: Request-Line, Request-URI, and Message Header details like Max-Forwards, Session-Expires, and recipient info. |
| sip-uri-parameter (ANY) | Matches the parameter of URI in related headers. | |